It can help to understand the jurisdiction issues to think of an analogous situation but with paper records instead of digital records. Consider this scenario.
I have a company that operates a business in the US. I keep records on paper in filing cabinets at my office.
I decide to archive some records offsite. I do this by engaging the services of a storage firm that operates a vault in an old mine in a remote area. To store records I ship them in a box to the storage firm, which slaps a barcode on the box, assigns it to an open spot in the vault, and puts the box there.
If I ever need the records I ask the storage firm for them, they look them up in their records to find where they are in the vault, retrieves the box, and ships it to me.
I later want to archive more records, and I do the same thing except this time I use a different storage company. It works the same way--they store boxes I send them, and ship those back to me upon request.
The first storage company is somewhere in the US. The second storage company is Mexico.
Suppose the US government wants to look at some of my records. If they want to get warrants to seize those records themselves by going to where they are stored (my office and/or the storage vaults) a US court would have jurisdiction to issue such warrants for the records in my office and the records in the storage vault in the US. For the records in the vault in Mexico they would have to go through whatever Mexico's procedure is to get the records seized.
They need to go through Mexico for the Mexican vault because they are trying to force someone in Mexico to do something they have no obligation to do. They want someone to go into the vault and seize the records.
If, one the other hand, the government gets a subpoena asking me for the records which in order to comply with I'll have to ask the vaults to send me the records, no one in Mexico is being asked to do anything other than provide the service to me that I hired them to do. The Mexican government does not need to be involved, and has no interest in being involved because what is happening in Mexico is just normal operation of the storage service there.
The situation with Microsoft that prompted the CLOUD Act was similar, although the records weren't archived records. Microsoft in the US operated an email service. They stored the email at various cloud providers around the world. One of those cloud providers was an EU company that was owned by Microsoft but separate from the Microsoft owned US company that provided the email service. The US Microsoft email company's relation with the EU Microsoft cloud storage company was simply that of a customer that bought their storage service.
The US Microsoft email company had the right to retrieve any data it stored at that cloud service (or at any other cloud service it used) at any time. Nobody at the cloud storage company would have to be involve or even aware when this happened. To them it is all just customers using the storage APIs to access the customer's data.
There are GDPR issues, but note those same GDPR issues would also apply if the US company was storing data about EU people in cloud storage that was entirely in the US (their own or at a separate US cloud provider whose servers were in the US).
I have a company that operates a business in the US. I keep records on paper in filing cabinets at my office.
I decide to archive some records offsite. I do this by engaging the services of a storage firm that operates a vault in an old mine in a remote area. To store records I ship them in a box to the storage firm, which slaps a barcode on the box, assigns it to an open spot in the vault, and puts the box there.
If I ever need the records I ask the storage firm for them, they look them up in their records to find where they are in the vault, retrieves the box, and ships it to me.
I later want to archive more records, and I do the same thing except this time I use a different storage company. It works the same way--they store boxes I send them, and ship those back to me upon request.
The first storage company is somewhere in the US. The second storage company is Mexico.
Suppose the US government wants to look at some of my records. If they want to get warrants to seize those records themselves by going to where they are stored (my office and/or the storage vaults) a US court would have jurisdiction to issue such warrants for the records in my office and the records in the storage vault in the US. For the records in the vault in Mexico they would have to go through whatever Mexico's procedure is to get the records seized.
They need to go through Mexico for the Mexican vault because they are trying to force someone in Mexico to do something they have no obligation to do. They want someone to go into the vault and seize the records.
If, one the other hand, the government gets a subpoena asking me for the records which in order to comply with I'll have to ask the vaults to send me the records, no one in Mexico is being asked to do anything other than provide the service to me that I hired them to do. The Mexican government does not need to be involved, and has no interest in being involved because what is happening in Mexico is just normal operation of the storage service there.
The situation with Microsoft that prompted the CLOUD Act was similar, although the records weren't archived records. Microsoft in the US operated an email service. They stored the email at various cloud providers around the world. One of those cloud providers was an EU company that was owned by Microsoft but separate from the Microsoft owned US company that provided the email service. The US Microsoft email company's relation with the EU Microsoft cloud storage company was simply that of a customer that bought their storage service.
The US Microsoft email company had the right to retrieve any data it stored at that cloud service (or at any other cloud service it used) at any time. Nobody at the cloud storage company would have to be involve or even aware when this happened. To them it is all just customers using the storage APIs to access the customer's data.
There are GDPR issues, but note those same GDPR issues would also apply if the US company was storing data about EU people in cloud storage that was entirely in the US (their own or at a separate US cloud provider whose servers were in the US).